[PATCH] Implement a more abstracted kpasswd service

Andreas Schneider asn at samba.org
Mon Sep 12 07:32:15 UTC 2016 

On Saturday, 10 September 2016 13:21:59 CEST Andrew Bartlett wrote:
> I see Jeremy is doing a careful review, but I've also given this a
> quick look over, and it certainly seems reasonable.
> 
> I also wish to give an apology to you and your team for some historical
> bad advise:  I recall suggesting you could avoid gensec_krb5 if you
> avoided implementing the kpasswd server, both of which you have now
> needed to do.

The reason for implementing the kpasswd server is that the kadmind from MIT 
Kerberos doesn't provide a way to check ACLs using the KDB plugin.

Why do we have/need gensec_krb5?

Each GSSAPI functions creates a new krb5_context and throws it away when the 
function is done.

However we need to load the HDB/KDB plugin we have so we can access the keytab 
to decrypt tickets. Registering the plugin is done on the krb5_context but we 
are not able to use that as GSSAPI is creating a new context for each call.

To fix that MIT Kerberos has a call krb5_ktkdb_set_context(). It is used to 
set a different context for ktkdb_get_entry(). GSSAPI has its own context but 
to access the KDB we need a context with the KDB keytab operations registered. 
This functions allows it. The function is not public but we could look into it 
and check if we can do something similar in Heimdal.

We should get rid of the gensec_krb5 module at least in production.

> I think this is the right choice, it is much easier to ensure we get
> the correct protocol semantics this way, but I know your team spent
> quite some resources on the attempt to use the MIT kpasswd server.

gensec_krb5 is used in testing to verify that some old Samba client behavior 
still works against the current Samba AD KDC. I don't know which version had 
this strange behavior it would be great to know which versions that really 
are.

> Thanks for all the hard work on this, it is critical work and really
> important to the long term viability of Samba.

Thanks, I hope we can work on some things during the Samba IO Lab and find and 
fix some bugs.


Cheers,


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org

More information about the samba-technical mailing list